Abstract — We formalize automated analysis techniques for the 
validation of web services specified in BPEL and a RBAC variant 
tailored to BPEL. The idea is to use decidable fragments of first- 
order logic to describe the state space of a certain class of web 
services and then use state-of-the-art SMT solvers to handle their 
reachability problems. To assess the practical viability of our 
approach, we have developed a prototype tool implementing our 
techniques and applied it to a digital contract signing service 
inspired by an industrial case study. 

I. Introduction 

Context and motivation: The design of security-sensitive 
web services is an error-prone and time-consuming task. The 
reasons for these difficulties are manifold. A web service is 
(often) obtained as a composition of several simpler services 
executed in a distributed environment. So, because of the 
huge number of possible interleavings and the subtle interplay 
between the data and the control part of the processes, it is 
very difficult — if not impossible — for a human to foresee all 
the possible behaviors. Furthermore, the workflow of the ap- 
plication is usually constrained by the enforcement of access- 
control policies that forbid the execution of certain operations 
or the access to shared resources by certain users and can 
easily over-constrain or under-constrain the possible behaviors. 
As a consequence, in the first case, correct behaviors are 
prevented, thereby decreasing the overall dependability of the 
service, while in the second case, incorrect behaviors are 
possible that may open security breaches, thus destroying the 
dependability of the service. 

Hence, automated techniques for the validation of security- 
sensitive web services at design time are needed to assist the 
designers and avoid expensive actions for the correction of 
errors after deployment. While this is only a preliminary step 
in the direction of building highly dependable web services, 
it constitutes a necessary stepping stone for the application of 
other techniques at run-time for orchestration and coordination 
of services and for enforcing access policies. 

Contributions: In this paper, we formalize automated 
analysis techniques for the validation of web services specified 
in BPEL and a variant of RBAC tailored to BPEL as proposed 
in [1]. RBAC (see, e.g., [?]) is one of the most successful 
models for access control in large and complex applications. 
Our idea is to translate a BPEL process to a particular class 
of transition systems, described by arithmetic constraints and 
called Vector Addition Systems (VASs), and to encode the 
RBAC specification in a decidable class of first-order formu- 
lae, called Bernays-Schönfinkel-Ramsey (BSR). We study the 
goal reachability problem (to which several analysis problems 
can be reduced) of the resulting class of transition systems. 
Theoretically, we prove the decidability of the reachability 
problem for a particular class of transition systems modeling 
BPEL processes where no loops occur. Pragmatically, to assess 
the viability of our approach, we have developed a prototype 
tool called WSSMT, which implements our techniques and 
uses state-of-the-art theorem-proving techniques recently de- 
veloped in the area of Satisfiability Modulo Theories (SMT) 
and featuring a good trade-off between scalability and expres- 
siveness. We report on the application of WSSMT on a digital 
contract signing service inspired by an industrial case study. 

Related work: While BPEL semantics is given in natural language in [?], there have been many attempts to give a formal semantics of the language in terms of Petri nets, e.g., [?]. The formalization is useful in two respects: it eliminates possible ambiguities in the natural-language semantics and it permits the formal analysis of BPEL processes at design time. Although there are tools (e.g., [5]) that provide automated support for the translation from BPEL to Petri nets and the subsequent analysis, they (to the best of our knowledge) only model the control flow and abstract away from the data manipulation. Recently, there have been attempts at extending Petri nets with some data modeling and reasoning capabilities by using fragments of first-order logic (FOL) for which efficient SMT solvers exist [?]. Instead of a hybrid representation, we chose to develop our techniques in a first-order framework by exploiting the well-known connection between Petri nets and VASs (see, e.g., [?]) and then to extend it along the lines suggested in [9] to incorporate the access-control layer in a uniform way. The work in [?] studies the decidability of symbolic executions with bounded length for more general classes of services, while here we focus on a particular class of applications whose sets of reachable states can be finitely described by suitable fragments of FOL. The work in [10] is closely related to ours with respect to the structure of the specification, divided in two layers, one for the workflow and one for access control. However, [10] does not provide a decidability result for the reachability problem as we do in this paper. 

Organization: §II briefly introduces the languages used to specify the class of web services we consider, i.e. BPEL and RBAC4BPEL, together with a concrete example that we use to illustrate the key features of the formal framework. §III recalls the definition of two-level transition system introduced in [9], and its related reachability problem, explains how BPEL and RBAC4BPEL specifications can be translated to this class of transition systems, and proves the decidability of the reachability problem for two-level transition systems obtained by translating a class of acyclic Petri nets (called workflow nets). §IV discusses how our techniques have been implemented and applied to a digital contract signing service, inspired by an industrial application. In §V we draw conclusions and discuss future work. Proofs of the formal results are given in an appendix. 

II. BPEL, RBAC4BPEL, AND A MOTIVATING EXAMPLE 

We characterize the class of applications we are interested in 
by using the Purchase Ordering (PO) process introduced in [1]. 
To make the paper self-contained, in this section, we briefly 
illustrate the example and give a high-level description of the 
languages used to specify it. The PO process is composed of 
six activities: the creation of a purchase order for a certain 
good (crtPO), the approval of the order before dispatching the 
good to the supplier (apprPO), the acknowledgement of the 
delivery by signing (signGRN) and then countersigning (ctr- 
signGRN) the goods-received note, the creation of a payment 
file on receipt of the supplier's invoice for the good (crtPay), 
and the approval of the payment to the supplier (apprPay). 
For the PO process to complete successfully, the order of 
execution of the various activities should satisfy the following 
constraints: crtPO must be executed before apprPO which, in 
turn, must be executed before the remaining four activities; 
crtPay can be done in parallel with both signGRN and ctr- 
signGRN but before apprPay; and signGRN, ctrsignGRN, and 
apprPay must be executed in this order. The workflow (WF) 
level of the application should enforce these dependencies that 
are induced by the application logic of the PO process. 

A. The WF level and BPEL 

In [1], the Business Process Execution Language (BPEL [?]) 
is used to describe an (executable) specification of the WF 
level of an application. In Fig. 1 we show a high-level 
BPEL specification of the WF level of the PO process. The 
<process> element wraps around the entire description of 
the PO process. The <sequence> element states that the 
activities contained in its scope must be executed sequen- 
tially. The <flow> element specifies concurrent threads of 
activities. The <invoke> element represents the invocation 
of an activity that is provided by an available web service. 



    <process name="PO">
      <sequence>
        <receive operation="crtPO" ... > </receive>
        <invoke operation="apprPO" ... > </invoke>
        <flow>
          <sequence>
            <invoke operation="signGRN" ... > </invoke>
            <invoke operation="ctrsignGRN" ... > </invoke>
          </sequence>
          <invoke operation="ctrPay" ... > </invoke>
        </flow>
        <invoke operation="apprPay" ... > </invoke>
      </sequence>
    </process>

Fig. 1. The WF level of the PO process: BPEL. 




Fig. 2. The WF level of the PO process: Petri net corresponding to the BPEL in Fig. 1. 



Finally, the <receive> element represents the invocation of an activity that is provided by the BPEL process being described. BPEL provides a variety of further constructs (e.g., to represent variables) that are ignored here for simplicity; the interested reader is referred to [3]. In the case of the PO process, it is easy to see that the constraints on the execution described above are all satisfied by the nesting of control elements in Fig. 1. For example, because of the semantics of <sequence>, crtPO will be executed first while apprPay will be the activity finishing the PO process. 

Fig. 2 shows a Petri net that can be seen as the (formal) semantics of the BPEL process in Fig. 1. Before being able to sketch the mapping from BPEL processes to Petri nets, we recall the basic notions concerning the latter. 

$U := \{u_1, u_2, u_3, u_4, u_5\}$, $R := \{Manager, FinAdmin, FinClerk, POAdmin, POClerk\}$, $P := \{p_1, \ldots, p_5\}$, 
$ua := \{(u_1, Manager), (u_2, FinAdmin), (u_3, FinClerk), (u_4, POAdmin), (u_5, POClerk)\}$, 
$pa := \{(FinClerk, p_4), (FinAdmin, p_5), (POClerk, p_3), (POAdmin, p_1)\}$, 
$\succeq$ is the least partial order such that $Manager \succeq FinAdmin$, $Manager \succeq POAdmin$, $FinAdmin \succeq FinClerk$, and $POAdmin \succeq POClerk$. 

Fig. 3. The PM level of the PO process: RBAC 

A Petri net is a triple $(P, T, F)$, where $P$ is a finite set of places, $T$ is a finite set of transitions, and $F$ (flow relation) is a set of arcs such that $P \cap T = \emptyset$ and $F \subseteq (P \times T) \cup (T \times P)$. Graphically, the Petri net $(P, T, F)$ can be depicted as a directed bipartite graph with two types of nodes, places and transitions, represented by circles and rectangles, respectively; the nodes are connected via directed arcs according to $F$ (where arcs between two nodes of the same type are not allowed). A place $p$ is called an input (resp., output) place of a transition $t$ iff there exists a directed arc from $p$ to $t$ (resp., from $t$ to $p$). The set of input (resp., output) places of a transition $t$ is denoted by ${}^\bullet t$ (resp., $t^\bullet$); ${}^\bullet p$ and $p^\bullet$ are defined similarly. A path in a Petri net $(P, T, F)$ is a finite sequence $e_0, \ldots, e_n$ of elements from $P \cup T$ such that $e_{i+1} \in e_i^\bullet$ for each $i = 0, \ldots, n-1$; a path $e_0, \ldots, e_n$ in the net is a cycle if no element occurs more than once in it and $e_0 \in e_n^\bullet$ for some $n \geq 1$. A Petri net is acyclic if none of its paths is a cycle. A marking of a Petri net $(P, T, F)$ is a mapping from the set $P$ of places to the set of non-negative integers; graphically, it is depicted as a distribution of black dots (tokens) in the circles of the graph representing the net. A transition $t$ is enabled in a marking $m$ iff each of its input places $p$ is such that $m(p) \geq 1$, i.e., $p$ contains at least one token. An enabled transition $t$ in a marking $m$ may fire by generating a new marking $m'$, in symbols $m \xrightarrow{t} m'$, where $m'(p) = m(p)$ if $p \notin ({}^\bullet t \cup t^\bullet)$, $m'(p) = m(p) - 1$ if $p \in {}^\bullet t$, and $m'(p) = m(p) + 1$ if $p \in t^\bullet$, i.e. $t$ consumes one token from each of its input places and produces one token in each of its output places. A marking $m$ is reachable from $m_0$, in symbols $m_0 \rightarrow^* m$, iff there exists a sequence $m_1, \ldots, m_n$ of markings such that $m_i \rightarrow m_{i+1}$ for $i = 0, \ldots, n-1$ and $m_n = m$, for some $n \geq 0$. (In case $n = 0$, we have that $m_0 = m$.) Given a Petri net $(P, T, F)$ and markings $m_0$ and $m$, an instance of the reachability problem for Petri nets consists of checking whether $m_0 \rightarrow^* m$ or not. A workflow (WF) net [11] is a Petri net $(P, T, F)$ such that (a) there exist two special places $i, o \in P$ with ${}^\bullet i = \emptyset$ and $o^\bullet = \emptyset$; and (b) for each transition $t \in T$, there exists a path $\pi$ in the net beginning with $i$ and ending with $o$ in which $t$ occurs. 

The idea underlying the Petri net semantics of BPEL is simple. Activities are mapped to transitions (the rectangles in Fig. 2) and their execution is modeled by the flow of tokens from input places to output places. When two BPEL operations are enclosed in a <sequence> element (e.g., crtPO and apprPO), two transitions are created (as in Fig. 2) with one input place (resp., $p_1$ and $p_2$) and one output place each (resp., $p_2$ and $p_3$), and the input place of the second is identified with the output place of the first one ($p_2$). When two BPEL operations are in a <flow> element (e.g., ctrPay and the sequence of operations signGRN and ctrsignGRN), four transitions are created: one to represent the split of the flow, one to represent its synchronization (join), and one for each activity that can be executed concurrently, with the appropriate places to connect them (in Fig. 2, when a token is in place $p_3$, the 'flow split' transition is enabled and its execution yields one token in place $p_4$ and one in $p_5$, which enables both transitions signGRN and ctrPay, so that they can be executed concurrently; the two independent threads of activities get synchronized again by the execution of 'flow join', which is enabled when there is a token in each of its two input places). It is easy to see that the Petri net of Fig. 2 is an acyclic WF net where $p_1$ is the special input place $i$, $p_{10}$ is the special output place $o$, and each transition occurs in a path from $p_1$ to $p_{10}$. 

B. The policy management (PM) level and RBAC4BPEL 

Besides the dependencies imposed by the WF level, con- 
straints on the execution of the activities derived from security 
requirements are of crucial importance to ensure the depend- 
ability of the application. In this paper, we focus on a particular 
class of security requirements that pertain to the access-control 
policy. The policy management (PM) level of the application 
is charged to enforce these constraints. 

In [1], an extension of the Role Based Access Control (RBAC) framework — adapted to work smoothly with BPEL and denoted RBAC4BPEL — is used to specify the PM level of applications. The components of RBAC4BPEL are: (i) a set $U$ of users, (ii) a set $R$ of roles, (iii) a set $P$ of permissions, (iv) a role hierarchy $\succeq$ (i.e. a partial-order relation on $R$), (v) a user-role assignment relation $ua$, (vi) a role-permission assignment relation $pa$, and (vii) a set $A$ of activities and a class of authorization constraints (such as separation-of-duty) to prevent some users from acquiring permissions in certain executions of the application (see below for details). Note that components (i)-(vi) are standard in RBAC while (vii) has been added to obtain a better integration between the PM and the WF levels. 

First, we describe components (i)-(vi) and some related notions. A user $u \in U$ is assigned a role $r \in R$ if $(u, r) \in ua$ and permissions are associated with roles when $(p, r) \in pa$. In RBAC4BPEL, a user $u \in U$ has a permission $p$ if there exists a role $r \in R$ such that $(u, r) \in ua$ and $(p, r) \in pa$. (We will see that each permission is associated to a right on a certain activity in $A$, e.g., its execution, of a BPEL process.) The role hierarchy ${\succeq} \subseteq R \times R$ is assumed to be a partial order (i.e., a reflexive, antisymmetric, and transitive relation) reflecting the rights associated to roles. More precisely, a user $u$ is an explicit member of role $r \in R$ if $(u, r) \in ua$ and it is an implicit member of role $r \in R$ if there exists a role $r' \in R$ such that $(r', r) \in {\succeq}$ (abbreviated as $r' \succeq r$), $r' \neq r$, and $(u, r') \in ua$. Thus, $\succeq$ induces a permission inheritance relation as follows: a user $u \in U$ can get permission $p$ if there exists a role $r \in R$ such that $u$ is a member (either implicit or explicit) of $r$ and $(p, r) \in pa$. For simplicity, we abstract away the definition of a role in terms of a set of attributes as done in [1]. 

Fig. 3 shows the sets $U$, $R$, $P$ and the relations $\succeq$, $ua$, $pa$ for the PM level of the PO process. Although $(Manager, p_i) \notin pa$ for any $i = 1, \ldots, 5$, we have that user $u_1$, which is explicitly assigned to role $Manager$ in $ua$, can get any permission $p_i$ for $i = 2, \ldots, 5$ as $Manager \succeq r$ for any role $r \in R \setminus \{Manager\}$; hence $u_1$ can be implicitly assigned to each role and then get the permission $p_i$. 

In RBAC4BPEL, each permission in $P$ is associated with the right to handle a certain transition of $T$, uniquely identified by a label in $A$, for a Petri net $(P, T, F)$. For the PO process, this is particularly simple since only the right to execute a transition is considered. So, $p_1$ is the permission for executing apprPO, $p_2$ for signGRN, $p_3$ for ctrsignGRN, $p_4$ for crtPay, and $p_5$ for apprPay. We are now in the position to describe component (vii) of RBAC4BPEL. Note that there are no permissions associated to 'flow split' and 'flow join' as these are performed by the BPEL engine and thus no particular authorization restriction must be enforced. 

A role (resp., user) authorization constraint is a tuple $(D, (t_1, t_2), \rho)$ where $D \subseteq R$ (resp., $D \subseteq U$) is the domain of the constraint, $\rho \subseteq R \times R$ (resp., $\rho \subseteq U \times U$), and $t_1, t_2$ are in $A$. An authorization constraint $(D, (t_1, t_2), \rho)$ is satisfied if $(x, y) \in \rho$ whenever $x, y \in D$, $x$ performs $t_1$, and $y$ performs $t_2$. In other words, authorization constraints place further restrictions (besides those of the standard RBAC components) on the roles or users who can perform certain actions once others have already been executed by users belonging to certain roles. Constraints of this kind allow one to specify separation-of-duty (SoD) by $(D, (t_1, t_2), \neq)$, binding-of-duty (BoD) by $(D, (t_1, t_2), =)$, or any other restriction that can be specified by a binary relation over roles or users. 

For the PO process, component (vii) of RBAC4BPEL is instantiated as: 

$$(U, (apprPO, signGRN), \neq),\quad (U, (apprPO, ctrsignGRN), \neq),\quad (U, (signGRN, ctrsignGRN), \neq),\quad (R, (crtPay, apprPay), \prec),$$

where ${\prec} := \{(r_1, r_2) \mid r_1, r_2 \in R,\; r_2 \succeq r_1,\; r_1 \neq r_2\}$ (recall that the sets $U$ and $R$ are defined in Fig. 3). 
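The permission inheritance of this section and the authorization constraints just listed, worked through on the data of Fig. 3 in Python. This is an added example, not the authors' WSSMT tool: the history $xcd$ of §III-D is extended here with the role used for each execution so that role-domain constraints can be checked, the relation symbol of the second and third constraints is garbled in the source and taken to be $\neq$ like the first, and all function names are the example's own.

```python
"""RBAC4BPEL for the PO process: Fig. 3 data plus the constraints of component (vii).

Added illustration, not the WSSMT tool.  History entries are (user, role, activity);
storing the role used is an extension of the paper's xcd (user, action) so that
role-domain constraints can be checked.
"""
from itertools import product

USERS = {"u1", "u2", "u3", "u4", "u5"}
ROLES = {"Manager", "FinAdmin", "FinClerk", "POAdmin", "POClerk"}
UA = {("u1", "Manager"), ("u2", "FinAdmin"), ("u3", "FinClerk"),
      ("u4", "POAdmin"), ("u5", "POClerk")}
PA = {("FinClerk", "p4"), ("FinAdmin", "p5"), ("POClerk", "p3"), ("POAdmin", "p1")}
PERM_OF = {"apprPO": "p1", "signGRN": "p2", "ctrsignGRN": "p3",
           "crtPay": "p4", "apprPay": "p5"}           # p2 is assigned to no role in Fig. 3
SENIOR = {("Manager", "FinAdmin"), ("Manager", "POAdmin"),
          ("FinAdmin", "FinClerk"), ("POAdmin", "POClerk")}


def hierarchy():
    """Least partial order >= containing SENIOR: reflexive and transitive closure."""
    geq = {(r, r) for r in ROLES} | set(SENIOR)
    while True:
        new = {(a, d) for (a, b) in geq for (c, d) in geq if b == c} - geq
        if not new:
            return frozenset(geq)
        geq |= new


GEQ = hierarchy()


def member_roles(user):
    """Roles the user is an explicit (ua) or implicit (via >=) member of."""
    explicit = {r for (u, r) in UA if u == user}
    return {r for r in ROLES if any((e, r) in GEQ for e in explicit)}


def has_permission(user, perm):
    """Permission inheritance: some member role r with (r, perm) in pa."""
    return any((r, perm) in PA for r in member_roles(user))


def strictly_below(r1, r2):
    """r1 < r2 as defined for the crtPay/apprPay constraint: r2 >= r1 and r1 != r2."""
    return (r2, r1) in GEQ and r1 != r2


def differ(a, b):
    return a != b


# (domain, (t1, t2), relation rho): (x, y) in rho whenever x did t1 and y did t2
CONSTRAINTS = [
    ("U", ("apprPO", "signGRN"), differ),
    ("U", ("apprPO", "ctrsignGRN"), differ),    # relation assumed to be != (garbled in source)
    ("U", ("signGRN", "ctrsignGRN"), differ),   # relation assumed to be != (garbled in source)
    ("R", ("crtPay", "apprPay"), strictly_below),
]


def can_execute(xcd, user, role, act):
    """Guard: user may act in `role` with the permission for `act`, and recording
    (user, role, act) keeps every authorization constraint satisfied."""
    if role not in member_roles(user) or (role, PERM_OF[act]) not in PA:
        return False
    history = set(xcd) | {(user, role, act)}
    for domain, (t1, t2), rho in CONSTRAINTS:
        did1 = [(u, r) for (u, r, a) in history if a == t1]
        did2 = [(u, r) for (u, r, a) in history if a == t2]
        for (u1, r1), (u2, r2) in product(did1, did2):
            x, y = (u1, u2) if domain == "U" else (r1, r2)
            if not rho(x, y):
                return False
    return True


def execute(xcd, user, role, act):
    """Update: xcd' = xcd plus the new execution; refused when the guard fails."""
    if not can_execute(xcd, user, role, act):
        raise PermissionError(f"{user} as {role} may not execute {act}")
    return frozenset(set(xcd) | {(user, role, act)})


def run_example():
    """One constructed PO run: approve order, countersign, create and approve payment."""
    xcd = frozenset()
    for user, role, act in [("u4", "POAdmin", "apprPO"), ("u5", "POClerk", "ctrsignGRN"),
                            ("u3", "FinClerk", "crtPay"), ("u2", "FinAdmin", "apprPay")]:
        xcd = execute(xcd, user, role, act)
    return xcd
```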

This concludes the description of the class of applications 
that we consider. We now proceed to introduce our techniques 
to analyze such applications. 

III. Formalization and Automated Analysis 

From now on, we assume that the WF level of an application is specified by a Petri net and the PM level by an instance of the RBAC4BPEL framework. We use two-level transition systems [9] to represent the WF level and the PM level of a web service and we study the reachability problem for a sub-class. 

A. Two-level transition systems and goal reachability 

We assume the basic notions of FOL (see, e.g., [12]). A two-level transition system $Tr$ is a tuple 

$$(x, p, In(x, p), \{\tau_i(x, p, x', p') \mid i = 1, \ldots, n\}),$$

where $x$ is a tuple of WF state variables, $p$ is a tuple of PM state variables, the initial condition $In(x, p)$ is a FOL formula whose only free variables are in $x$ and where PM state variables in $p$ may occur as predicate symbols, and the transition $\tau_i(x, p, x', p')$ is a FOL formula whose only free variables are in $x, x'$ and where PM state variables in $p, p'$ may occur as predicate symbols (as is customary, unprimed variables in $\tau_i$ refer to the values of the state before the execution of the transition while primed ones refer to the values of the state afterward), for $i = 1, \ldots, n$ and $n \geq 1$. 

We assume there exists a so-called first-order underlying structure $(D, I)$ of the transition system $Tr$, where $D$ is the domain of values and $I$ is the mapping from the signature to functions and relations over $D$, and in which the state variables and the symbols of the signature used to write the formulae $In$ and $\tau_i$ for $i = 1, \ldots, n$ are mapped. A state of $Tr$ is a pair $v := (v_x, v_p)$ of mappings: $v_x$ from the WF state variables to $D$ and $v_p$ from the PM state variables to relations over $D$. A run of $Tr$ is a (possibly infinite) sequence of states $v^0, v^1, \ldots, v^n, \ldots$ such that (a) $v^0$ satisfies $In$, in symbols $v^0 \models In$, and (b) for every pair $v^i, v^{i+1}$ in the sequence, there exists $j \in \{1, \ldots, n\}$ such that $v^i, v^{i+1}$ satisfies $\tau_j$, in symbols $v^i, v^{i+1} \models \tau_j$, where the domain of $v^i$ is $x, p$ and that of $v^{i+1}$ is $x', p'$. Given a formula $G(x, p)$, called the goal, an instance of the goal reachability problem for $Tr$ consists of answering the following question: does there exist a natural number $\ell \geq 0$ such that the formula 

$$In(x_0, p_0) \;\wedge\; \bigwedge_{i=0}^{\ell-1} \bigvee_{k=1}^{n} \tau_k(x_i, p_i, x_{i+1}, p_{i+1}) \;\wedge\; G(x_\ell, p_\ell) \qquad (1)$$

is satisfiable in the underlying structure of $Tr$, where $x_i, p_i$ are renamed copies of the state variables in $x, p$? (When $\ell = 0$, (1) is simply $In(x_0, p_0) \wedge G(x_0, p_0)$.) The interest of the goal reachability problem lies in the fact that many verification problems for two-level transition systems, such as deadlock freedom and invariant checking, can be reduced to it. 

B. Forward reachability and symbolic execution tree 

If we were able to check automatically the satisfiability of (1), an idea to solve the goal reachability problem for two-level transition systems would be to generate instances of (1) for increasing values of $\ell$. However, this would only give us a semi-decision procedure for the reachability problem. In fact, this method terminates only when the goal is reachable from the initial state, i.e. when the instance of (1) for a certain value of $\ell$ is satisfiable in the underlying structure of the transition system $Tr$. But, when the goal is not reachable, the check will never detect the unreachability and we will be bound to generating an infinite sequence of instances of (1) for increasing values of $\ell$. That is, the decidability of the satisfiability of (1) in the underlying structure of $Tr$ is only a necessary condition for ensuring the decidability of the goal reachability problem. 

We can formalize this method as follows. The post-image of a formula $K(x, p)$ with respect to a transition $\tau$ is 

$$Post(K, \tau) := \exists x', p'.\,(K(x', p') \wedge \tau(x', p', x, p)).$$

For the class of transition systems that we consider below, we are always able to find FOL formulae that are equivalent to $Post(K, \tau_i)$. Thus, the use of the second-order quantifier over the predicate symbols in $p'$ should not worry the reader (see §III-D for details). Now, define the following sequence of formulae by recursion: $FR^0(\tau, K) := K$ and $FR^{i+1}(\tau, K) := Post(FR^i(\tau, K), \tau) \vee FR^i(\tau, K)$ for $i \geq 0$, where $\tau := \bigvee_{k=1}^{n} \tau_k$. The formula $FR^i(\tau, In)$ describes the set of states of the transition system $Tr$ that are forward reachable in at most $i \geq 0$ steps. A fix-point is the least value of $\ell$ such that $FR^{\ell+1}(\tau, In) \Rightarrow FR^\ell(\tau, In)$ is true in the structure underlying $Tr$. Note also that $FR^\ell(\tau, In) \Rightarrow FR^{\ell+1}(\tau, In)$ by construction, and hence if $FR^{\ell+1}(\tau, In) \Rightarrow FR^\ell(\tau, In)$ is valid, then so is $FR^\ell(\tau, In) \Leftrightarrow FR^{\ell+1}(\tau, In)$, and $FR^\ell(\tau, In) \Leftrightarrow FR^{\ell'}(\tau, In)$ for each $\ell' \geq \ell$. Using the sequence of formulae $FR^0(\tau, In), FR^1(\tau, In), \ldots$ it is possible to check if the goal property $G$ will be reached by checking whether $FR^\ell(\tau, In) \wedge G$ is satisfiable in the structure underlying $Tr$ for some $\ell \geq 0$. In case of satisfiability, we say that $G$ is reachable. Otherwise, if $FR^\ell(\tau, In)$ is a fix-point, the unsatisfiability of $FR^\ell(\tau, In) \wedge G$ implies that $G$ is unreachable. Finally, if $FR^\ell(\tau, In)$ is not a fix-point and $FR^\ell(\tau, In) \wedge G$ is unsatisfiable, then we must increase the value of $\ell$ by 1 so as to compute the set of forward reachable states in $\ell + 1$ steps and perform the reachability checks again. Unfortunately, this process too is not guaranteed to terminate for arbitrary two-level transition systems. Fortunately, we are able to characterize a set of transition systems, corresponding to a relevant class of applications specified in BPEL and RBAC4BPEL, for which we can pre-compute an upper bound on $\ell$; this paves the way to solving automatically the goal reachability problem for these systems. To this end, we consider three sufficient conditions to automate the solution of the goal reachability problem. First, the class $\mathcal{C}$ of formulae used to describe sets of states must be closed under post-image computation. Second, the satisfiability (in the structure underlying the transition system) of $\mathcal{C}$ must be decidable. Third, it must be possible to pre-compute a bound on the length of the sequence $FR^0, FR^1, \ldots, FR^\ell$ of formulae. Below, we show that these conditions are satisfied by a class of two-level transition systems to which applications specified in BPEL and RBAC4BPEL can be mapped. For ease of exposition, we first consider the WF and PM levels in isolation and then show how the results for each level can be modularly lifted when considering the two levels together. Before doing this, we introduce the notion of 'symbolic execution tree.' The purpose of this is two-fold. First, it is crucial for the technical development of our decidability result. Second, it is the starting point for the implementation of our techniques as discussed in §IV. 



The symbolic execution tree of the two-level transition system $Tr$ is a labeled tree defined as follows: (i) the root node is labeled by the formula $In$; (ii) a node $n$ labeled by the formula $K$ has $d \leq n$ sons $n_1, \ldots, n_d$ labeled by the formulae $Post(K, \tau_1), \ldots, Post(K, \tau_d)$ such that $Post(K, \tau_j)$ is satisfiable in the model underlying $Tr$, and the edge from $n$ to $n_j$ is labeled by $\tau_j$ for $j = 1, \ldots, d$; (iii) a node $n$ labeled by $K$ has no son, in which case $n$ is a final node, if $Post(K, \tau_j)$ is unsatisfiable in the underlying model of $Tr$ for each $j = 1, \ldots, n$. A symbolic execution tree is 0-complete if it consists of the root node labeled by the formula $In$; it is $(d+1)$-complete for $d \geq 0$ if its depth is $d+1$ and for each node $n$ labeled by a formula $K_n$ at depth $d$, if $Post(K_n, \tau_j)$ is satisfiable, then there exists a node $n'$ at depth $d+1$ labeled by $Post(K_n, \tau_j)$. In other words, a symbolic execution tree is $d$-complete when all non-empty sets of states forward reachable in one step from those represented by the formulae labeling nodes at depth $d-1$ have been generated. It is easy to see that the formula $FR^\ell(\tau, In)$, describing the set of states of the transition system $Tr$ forward reachable in $\ell \geq 0$ steps, is equivalent to the disjunction of the formulae labeling the nodes of an $\ell$-complete symbolic execution tree. This will be proved for the classes of two-level transition systems that we consider below. 

C. WF nets and terminating forward reachability 

We consider a particular class of two-level transition systems, called Vector Addition Systems (VASs), $(x, In(x), \{\tau_i(x, x') \mid i = 1, \ldots, n\})$, such that (a) $p = \emptyset$; (b) their underlying structure is that of the integers; (c) each WF state variable in $x = x_1, \ldots, x_m$ ranges over the set of non-negative integers; (d) the initial condition $In(x)$ is a formula of the form $x_1 \bowtie_1 c_1 \wedge \cdots \wedge x_m \bowtie_m c_m$, where $c_j$ is a natural number for $j = 1, \ldots, m$ and ${\bowtie_j} \in \{=, \neq, >, \geq\}$; and (e) each transition $\tau_i$, for $i = 1, \ldots, n$, is a formula of the form 

$$\bigwedge_{h \in P} x_h > 0 \;\wedge\; \bigwedge_{j \in U^+} x'_j = x_j + 1 \;\wedge\; \bigwedge_{k \in U^-} x'_k = x_k - 1 \;\wedge\; \bigwedge_{l \in U^=} x'_l = x_l,$$

where $P, U^+, U^-, U^=$ are subsets of $\{1, \ldots, m\}$ such that $U^+, U^-, U^=$ form a partition of $\{1, \ldots, m\}$. 

It is well known that Petri nets and VASs are equivalent in the sense that analysis problems for the former can be transformed to problems of the latter whose solutions can be mapped back to solutions for the original problem, and vice versa (see, e.g., [?]). We briefly describe the correspondence by considering the Petri net in Fig. 2. We associate an integer variable $x_i$ to each place $p_i$ for $i = 1, \ldots, 10$, whose value will be the number of tokens in the place. The state is given by the values of the integer variables, which represent the marking of the net, i.e. a mapping from the set of places to non-negative integers. Formulae can be used to represent sets of states (or, equivalently, of markings). So, for example, the formula $x_1 = 1 \wedge \bigwedge_{i=2}^{10} x_i = 0$ represents the marking where one token is in place $p_1$ and all the other places are empty (which is the one depicted in Fig. 2, where the token is represented by a solid circle inside the circle that represents the place $p_1$, while all the other places do not contain any solid circle). The transition crtPO is represented by the formula 

$$x_1 \geq 1 \;\wedge\; x'_1 = x_1 - 1 \;\wedge\; x'_2 = x_2 + 1 \;\wedge\; \bigwedge_{i=3}^{10} x'_i = x_i,$$

saying that it is enabled when there is at least one token in $p_1$ ($x_1 \geq 1$), and the result of its execution is that a token is consumed at place $p_1$ ($x'_1 = x_1 - 1$), the tokens in $p_2$ are incremented by one ($x'_2 = x_2 + 1$), while the tokens in all the other places are unaffected ($x'_i = x_i$ for $i = 3, \ldots, 10$). The other transitions of the Petri net in Fig. 2 are translated in a similar way. In general, it is always possible to associate a state of a VAS to a marking of a Petri net and vice versa. This implies that solving the reachability problem for a VAS is equivalent to solving the reachability problem of the associated Petri net. 

Now, we show that the three sufficient conditions (see §III-B) to mechanize the solution of the goal reachability problem are satisfied by VASs when using forward reachability. First, the class of formulae is closed under post-image computation. 

Fact 1: $Post(K, \tau_i)$ is equivalent to $(K(x') \wedge \bigwedge_{h \in P} x'_h > 0)[x_j - 1, x_k + 1, x_l]$, where $\varphi[x_j - 1, x_k + 1, x_l]$ denotes the formula obtained from $\varphi$ by replacing $x'_j$ with $x_j - 1$ for $j \in U^+$, $x'_k$ with $x_k + 1$ for $k \in U^-$, and $x'_l$ with $x_l$ for $l \in U^=$. ∎ 

As a corollary, it is immediate to derive that if $K$ is a formula of Linear Arithmetic (LA) [13], roughly, a formula where multiplication between variables is forbidden, then also $Post(K, \tau_i)$ is equivalent to an effectively computable formula of LA. Second, the satisfiability of the class of formulae of LA is decidable by well-known results [?]. Third, it is possible to pre-compute a bound on the length of the sequence $FR^0, FR^1, \ldots, FR^\ell$ of formulae. Using the notion of symbolic execution tree introduced above, once specialized to VASs, we can then prove: 

Lemma 1: Let $PN := (P, T, F)$ be an acyclic workflow net and $\Pi$ be the set of all its paths. Then, the set of forward reachable states of the VAS $(x, In(x), \{\tau_i(x, x') \mid i = 1, \ldots, n\})$ associated to $PN$ is identified by the formula $FR^\ell(\tau, In)$ for $\ell = \max_{\pi \in \Pi}\{len(\pi|_T)\}$, where $\pi|_T$ is the sequence obtained from $\pi$ by forgetting each of its elements in $P$ and $len(\pi|_T)$ is the length of the sequence $\pi|_T$. ∎ 
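The VAS encoding of the PO workflow net (§II-A and the crtPO formula above) together with the forward-reachability iteration $FR^0, FR^1, \ldots$ and its fix-point of §III-B, as an added Python example that is not the authors' WSSMT code. Since Fig. 2 is not reproduced, the numbering of places $p_4$ to $p_9$ is an assumption; sets of markings are kept as explicit sets of tuples rather than as LA formulae, and every name in the code is the example's own.

```python
"""Vector Addition System for the PO workflow net and forward reachability FR^0, FR^1, ...

Added example, not the WSSMT tool.  Place numbering: p1 = i and p10 = o as in the paper;
p4..p9 follow the textual description of Fig. 2 (assumption).  A set of markings is a
Python set of tuples instead of a linear-arithmetic formula.
"""

PLACES = [f"p{i}" for i in range(1, 11)]

# transition -> (input places, output places); 'flow split'/'flow join' belong to the engine
TRANSITIONS = {
    "crtPO":      (["p1"], ["p2"]),
    "apprPO":     (["p2"], ["p3"]),
    "flow split": (["p3"], ["p4", "p5"]),
    "signGRN":    (["p4"], ["p6"]),
    "ctrsignGRN": (["p6"], ["p7"]),
    "crtPay":     (["p5"], ["p8"]),
    "flow join":  (["p7", "p8"], ["p9"]),
    "apprPay":    (["p9"], ["p10"]),
}


def vas_transition(name):
    """Index sets (P, U+, U-) of condition (e): guarded places, incremented, decremented."""
    ins, outs = TRANSITIONS[name]
    guard = {PLACES.index(p) for p in ins}
    return guard, {PLACES.index(p) for p in outs}, set(guard)


def transition_formula(name):
    """The LA formula of the transition, in the shape written for crtPO in Sec. III-C."""
    guard, plus, minus = vas_transition(name)
    conj = [f"x{h + 1} >= 1" for h in sorted(guard)]
    for i in range(len(PLACES)):
        delta = (i in plus) - (i in minus)
        conj.append(f"x{i + 1}' = x{i + 1}" + {1: " + 1", -1: " - 1", 0: ""}[delta])
    return " and ".join(conj)


def fire(marking, name):
    """Successor marking under one transition, or None when it is not enabled."""
    guard, plus, minus = vas_transition(name)
    if any(marking[h] < 1 for h in guard):
        return None
    nxt = list(marking)
    for k in minus:
        nxt[k] -= 1
    for j in plus:
        nxt[j] += 1
    return tuple(nxt)


def post_image(markings):
    """Post(K, tau) for tau = the disjunction of all transitions, on a set of markings."""
    return {m2 for m in markings for t in TRANSITIONS if (m2 := fire(m, t)) is not None}


def initial_marking():
    """In: one token in p1, every other place empty."""
    return tuple(1 if p == "p1" else 0 for p in PLACES)


def forward_reachability(goal):
    """Iterate FR^{i+1} = Post(FR^i) or FR^i until the fix-point.  Returns (ell at the
    fix-point, FR^ell, least ell' at which FR^ell' meets the goal, or None)."""
    fr, ell, first_hit = {initial_marking()}, 0, None
    while True:
        if first_hit is None and any(goal(m) for m in fr):
            first_hit = ell
        nxt = fr | post_image(fr)
        if nxt == fr:                     # FR^{ell+1} => FR^ell holds: fix-point
            return ell, fr, first_hit
        fr, ell = nxt, ell + 1


def is_reachable(goal):
    """Goal reachability: does some FR^ell contain a marking satisfying the goal?"""
    return forward_reachability(goal)[2] is not None
```

On this net the fix-point is reached at $\ell = 8$, the number of transitions, since every transition fires exactly once in a complete run.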

D. RBAC4BPEL and terminating forward reachability 

Preliminarily, let $Enum(\{v_1, \ldots, v_n\}, S)$ be the following set of FOL formulae axiomatizing the enumerated datatype with values $v_1, \ldots, v_n$, for a given $n \geq 1$, over a type $S$: $v_i \neq v_j$ for each pair of numbers $i, j$ in $\{1, \ldots, n\}$ such that $i \neq j$, and $\forall x.\,(x = v_1 \vee \cdots \vee x = v_n)$, where $x$ is a variable of type $S$. The formulae in $Enum(\{v_1, \ldots, v_n\}, S)$ fix the elements of any interpretation of $S$ to be exactly $v_1, \ldots, v_n$; it is easy to see that the class of structures satisfying these formulae is closed under isomorphism. We consider a particular class of two-level transition systems, called RBAC4BPEL, $(p, In(p), \{\tau_i(p, p') \mid i = 1, \ldots, n\})$, such that (a) $x = \emptyset$; (b) the initial condition $In(p)$ is of the form $\forall w.\,\varphi(w)$, where $\varphi$ is a quantifier-free formula in which at most the variables in $w$ may occur free; and (c) the underlying structure is one in the (isomorphic) class of many-sorted structures axiomatized by the following sentences: 

$$Enum(U, User),\quad Enum(R, Role),\quad Enum(P, Permission),\quad Enum(A, Action),$$

$$\forall u, r.\,\Big(ua(u, r) \Leftrightarrow \bigvee_{c_u \in U_{ua},\, c_r \in R_{ua}} (u = c_u \wedge r = c_r)\Big),$$

$$\forall r, p.\,\Big(pa(r, p) \Leftrightarrow \bigvee_{c_r \in R_{pa},\, c_p \in P_{pa}} (r = c_r \wedge p = c_p)\Big),$$

$$c_r \succeq c'_r \quad \text{for given pairs } c_r, c'_r \in R,$$

$$\forall r.\,(r \succeq r),\quad \forall r_1, r_2, r_3.\,(r_1 \succeq r_2 \wedge r_2 \succeq r_3 \Rightarrow r_1 \succeq r_3),\quad \forall r_1, r_2.\,(r_1 \succeq r_2 \wedge r_2 \succeq r_1 \Rightarrow r_1 = r_2),$$

where $U$, $R$ and $P$ are finite sets of constants denoting users, roles, and permissions, respectively, $A$ is a finite set of actions, $u$ is a variable of type $User$, $r$ and its subscripted versions are variables of type $Role$, $p$ is a variable of type $Permission$, $U_{ua} \subseteq U$, $R_{ua} \subseteq R$, $R_{pa} \subseteq R$, and $P_{pa} \subseteq P$; (d) $p = xcd$ is a predicate symbol of type $User \times Action$ abbreviating 'executed'; and (e) each $\tau_i$ is of the form 

$$\exists u.\,\big(\gamma(u, xcd) \wedge \forall x, y.\,(xcd'(x, y) \Leftrightarrow ((x = u_j \wedge y = p) \vee xcd(x, y)))\big),$$

where $u$ is a tuple of existentially quantified variables of type $User$, $u_j$ is the variable at position $j$ in $u$, and $\gamma$ is a quantifier-free formula (called the guard of the transition) in which no function symbol of arity greater than 0 may occur (the part of $\tau_i$ specifying $xcd'$ is called the update). 

We now explain how an RBAC4BPEL system can be specified by the formulae above on the example described in § II. To constrain the sets of users, roles, and permissions to contain exactly the elements specified in Fig. 3, it is sufficient to use the following sets of formulae: $Enum(\{u_1, u_2, u_3, u_4\}, User)$, $Enum(\{Manager, FinAdmin, FinClerk, POAdmin, POClerk\}, Role)$, and $Enum(\{p_1, p_2, p_3, p_4, p_5\}, Permission)$. It is also easy to see that the formulae

$$\forall u, r.\,\Big(ua(u, r) \Leftrightarrow \big((u = u_1 \wedge r = Manager) \vee (u = u_2 \wedge r = FinAdmin) \vee (u = u_3 \wedge r = FinClerk) \vee (u = u_4 \wedge r = POAdmin) \vee (u = u_5 \wedge r = POClerk)\big)\Big)$$

$$\forall r, p.\,\Big(pa(r, p) \Leftrightarrow \big((r = FinClerk \wedge p = p_4) \vee (r = FinAdmin \wedge p = p_5) \vee (r = POClerk \wedge p = p_3) \vee (r = POAdmin \wedge p = p_1)\big)\Big)$$

are satisfied by the interpretations of $ua$ and $pa$ in Fig. 5, and that $Manager \succeq FinAdmin$, $Manager \succeq POAdmin$, $FinAdmin \succeq FinClerk$, and $POAdmin \succeq POClerk$, together with the three formulae above for reflexivity, transitivity and antisymmetry, make the interpretation of $\succeq$ the partial order considered in Fig. 3. The state variable $xcd$ allows us to formalize component (vii) of the RBAC4BPEL system, i.e. the authorization constraints. The idea is to use $xcd$ to store the pair of user $u$ and action $a$ when $u$ has performed $a$, so that the authorization constraints can be formally expressed by a transition involving suitable pre-conditions on this variable. We illustrate the details on the first authorization constraint considered in § II-B, i.e. $(U, (apprPO, signGNR), \neq)$. The corresponding transition can be formalized as follows:

$$\exists x_1, x_2.\,(xcd(x_1, apprPO) \wedge x_1 \neq x_2 \wedge \forall x, y.\,(xcd'(x, y) \Leftrightarrow ((x = x_2 \wedge y = signGNR) \vee xcd(x, y)))).$$

The guard of the transition prescribes that the user $x_2$ is not the same user $x_1$ that has previously performed the action $apprPO$, and the update stores in $xcd$ the new pair $(x_2, signGNR)$. The following two constraints at the end of § II-B, namely $(U, (apprPO, ctrSignGNR), \neq)$ and $(U, (signGNR, ctrSignGNR), \neq)$, are formalized in a similar way. The encoding of the last constraint, i.e. $(R, (crtPay, apprPay), <)$, is more complex and also requires the user-role relation $ua$ to represent the constraint on the role hierarchy:

$$\exists x_1, x_2, r_1, r_2.\,(xcd(x_1, crtPay) \wedge ua(x_1, r_1) \wedge ua(x_2, r_2) \wedge r_2 \succeq r_1 \wedge r_1 \neq r_2 \wedge \forall x, y.\,(xcd'(x, y) \Leftrightarrow ((x = x_2 \wedge y = apprPay) \vee xcd(x, y)))).$$

The reader should now be convinced that every RBAC4BPEL specification can be translated into an RBAC4BPEL system.

Now, we show that the three sufficient conditions to mechanize the solution of the goal reachability problem (see § III-B) are satisfied by RBAC4BPEL systems when using forward reachability. First, the class of formulae is closed under post-image computation.

Fact 2: $Post(K, \tau_i)$ is equivalent to

$$\begin{array}{l}(\exists u.\,(K(xcd) \wedge xcd(u_j, t) \wedge \xi(u, xcd)))\ \vee \\ (\exists u.\,(K[\lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))] \wedge \xi[u, \lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))])),\end{array}$$

where $K[\lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))]$ is the formula obtained from $K$ by substituting each occurrence of $xcd'$ with the $\lambda$-expression in the square brackets and then performing the $\beta$-reduction, and similarly for $\xi[u, \lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))]$. ■
As anticipated above when introducing the definition of post-image for two-level transition systems, we can eliminate the second-order quantifier over the predicate symbol $xcd$. Now, recall that a formula is in the Bernays-Schönfinkel-Ramsey (BSR) class if it has the form $\exists z \forall w.\,\phi(z, w)$, for $\phi$ a quantifier-free formula and $z \cap w = \emptyset$ (see, e.g., [14]). As a corollary of Fact 2 it is immediate to see that if $K$ is a BSR formula, then also $Post(\tau_i, K)$ is equivalent (by trivial logical manipulations) to a formula in the BSR class. Since $In(xcd)$ is a formula in the BSR class, all the formulae in the sequence $FR^0, FR^1, \ldots$ will also be BSR formulae. The second requirement is also fulfilled, since the satisfiability of the BSR class is well-known to be decidable [14] and the formulae used to axiomatize the structures underlying the RBAC4BPEL transition systems are also in BSR. Third, it is possible to pre-compute a bound on the length of the sequence $FR^0, FR^1, \ldots, FR^\ell$ of formulae, although the existential prefix grows after each computation of the post-image when considering the formulae describing the set of forward reachable states. This is so because we consider only a finite and known set of users, so that the length of the existentially quantified prefix is bounded by $n_u^k \times n$, where $k$ is the maximal length of the existential prefixes of the transitions in the RBAC4BPEL system, $n_u$ is the number of users, and $n$ is the number of transitions.

Property 1: Let $(p, In(p), \{\tau_i(p, p') \mid i = 1, \ldots, n\})$ be an RBAC4BPEL system, $k$ the maximal length of the existential prefixes of $\tau_1, \ldots, \tau_n$, and $n_u$ the cardinality of the set of users. Then, its symbolic execution tree is $\ell$-complete for every $\ell \geq n_u^k \times n$. ■

The key idea of the proof is the observation that xcd is 
interpreted as a subset of the Cartesian product between the set 
of users and the set of actions whose cardinalities are bounded. 

E. Combining VASs and RBAC4BPEL systems 

We are now ready to fully specify applications that feature both the WF and the PM level. To do this, we consider two-level transition systems, called VAS+RBAC4BPEL systems, of the form

$$(x, p, In_V(x) \wedge In_R(p), \{\tau^V_i(x, x') \wedge \tau^R_i(p, p') \mid i = 1, \ldots, n\}),$$

where $x = x_1, \ldots, x_n$ for some $n \geq 1$, $p = xcd$, $In_V(x)$ is the initial condition of a VAS, $In_R(p)$ is the initial condition of an RBAC4BPEL system, $\tau^V_i(x, x')$ is a transition of a VAS, and $\tau^R_i(p, p')$ is a transition formula of an RBAC4BPEL system, for $i = 1, \ldots, n$. Note that for some transitions the guard $\xi$ of $\tau^R_i(p, p')$ may be tautological, since the operation involves no access-control policy restriction (e.g., the 'flow split' and 'flow join' of the Petri net in Fig. 2). It is natural to associate a VAS and an RBAC4BPEL system to a VAS+RBAC4BPEL system by projection, i.e. the associated VAS is $(x, In_V(x), \{\tau^V_i(x, x') \mid i = 1, \ldots, n\})$ and the associated RBAC4BPEL system is $(p, In_R(p), \{\tau^R_i(p, p') \mid i = 1, \ldots, n\})$. The structure underlying the VAS+RBAC4BPEL system is such that its reduct to the signature of the VAS is identical to the structure underlying the associated VAS, and its reduct to the signature of the RBAC4BPEL system is identical to the structure underlying the associated RBAC4BPEL system.

We now show how it is possible to modularly compute the 
post-image of a VAS+RBAC4BPEL system by combining the 
post-images of the associated VAS and RBAC4BPEL system. 

Fact 3: Let $K(x, xcd) := K_V(x) \wedge K_R(xcd)$. Then, $Post(K, \tau_i)$ is equivalent to

$$\begin{array}{l} K_V[x_j + 1, x_k - 1, x_l] \wedge \bigwedge_{i \in P} x_i \geq 0\ \wedge \\ \big((\exists u.\,(K_R(xcd) \wedge xcd(u_j, t) \wedge \xi(u, xcd)))\ \vee \\ \ \ (\exists u.\,(K_R[\lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))] \wedge \xi[u, \lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))]))\big), \end{array}$$

where the same notational conventions of Facts 1 and 2 have been adopted. In other words, the post-image of a VAS+RBAC4BPEL system is obtained as the conjunction of the post-images of the associated VAS, denoted with $Post_V(K, \tau_i) := Post(K_V, \tau^V_i)$, and the associated RBAC4BPEL system, denoted with $Post_R(K, \tau_i) := Post(K_R, \tau^R_i)$. Thus, we abbreviate the above formula as $Post_V(K, \tau_i) \wedge Post_R(K, \tau_i)$. ■

The proof of this fact is obtained by simple manipulations minimizing the scope of $\exists x$ and $\exists xcd$, respectively, and then realizing that the proofs of Facts 1 and 2 can be re-used verbatim. Because of the modularity of post-image computation, it is possible to modularly define the set of forward reachable states and the symbolic execution trees for VAS+RBAC4BPEL systems in the obvious way. By modularity, we can easily show the following property.

Property 2: Let $PN := (P, T, F)$ be an acyclic WF net, $(x, In_V(x), \{\tau^V_i(x, x') \mid i = 1, \ldots, n\})$ be its associated VAS, and $(p, In_R(p), \{\tau^R_i(p, p') \mid i = 1, \ldots, n\})$ be the RBAC4BPEL system with $n_u$ users and $k$ the maximal length of the existential prefixes of $\tau^R_1, \ldots, \tau^R_n$. Then, the symbolic reachability tree of the VAS+RBAC4BPEL system whose associated VAS and RBAC4BPEL system are those specified above is $\ell$-complete for every $\ell \geq \min(\max_{\pi \in \Pi}\{len(\pi|_T)\},\ n_u^k \times |T|)$. ■

The key observation in the proof of this property is that in 
order to take a transition, the preconditions of the associated 
VAS and of the associated RBAC4BPEL system must be 
satisfied. Because of the modularity of the post-image, the 
duality between the set of forward reachable states and the 
formulae labeling the symbolic execution tree can be lifted to 
VAS+RBAC4BPEL. We are now ready to state and prove the 
main result of this paper. 

Theorem 1: Let $PN := (P, T, F)$ be an acyclic WF net and let $(x, In_V(x), \{\tau^V_i(x, x') \mid i = 1, \ldots, n\})$ be its associated VAS. Further, let $(p, In_R(p), \{\tau^R_i(p, p') \mid i = 1, \ldots, n\})$ be an RBAC4BPEL system with a bounded number of users. Then, the symbolic reachability problem of the VAS+RBAC4BPEL system (whose associated VAS and RBAC4BPEL system are those specified above) is decidable. ■

To mechanize this result, we can use an off-the-shelf, state-of-the-art Satisfiability Modulo Theories solver such as Z3 [15], which is capable of automatically discharging the proof obligations generated by the iterated computation of the post-image in the structures underlying the VAS+RBAC4BPEL system.

To illustrate the kind of formulae arising in the application of Theorem 1, we consider the example specified in Fig. 2. In this case, we can restrict ourselves to three paths (projected over the transitions) in the WF net: crtPO, apprPO, 'flow split', signGNR, ctrSignGNR, crtPay, 'flow join', apprPay; crtPO, apprPO, 'flow split', signGNR, crtPay, ctrSignGNR, 'flow join', apprPay; and crtPO, apprPO, 'flow split', crtPay, signGNR, ctrSignGNR, 'flow join', apprPay; each one of length eight. It is easy to see that only the first path needs to be considered, as the other two produce equivalent states, since it does not matter at what time crtPay is executed with respect to signGNR and ctrSignGNR (it is possible to mechanize also this check, but we leave out the details for lack of space). So, for example, it is possible to check the so-called soundness of workflows [16], i.e. to check whether it is possible to terminate without "garbage" left. In terms of a WF net, this means that no tokens are left in places other than the special final place $o$ of the net. This can be checked by computing the post-images of the initial state of the VAS+RBAC4BPEL system of our motivating example along the lines of Facts 1, 2 and 3, and putting the result in conjunction with the formula characterizing the "no-garbage" condition, i.e.

$$x_{10} \geq 1 \wedge \bigwedge_{i=1}^{9} x_i = 0.$$

The resulting proof obligation, because of the closure under post-image computation of the VAS and the RBAC4BPEL system as well as the modularity of the post-image computation for the VAS+RBAC4BPEL system, is decidable as it can be put in the form $\varphi_V \wedge \varphi_R$, where $\varphi_V$ is a formula of LA (whose satisfiability is decidable) and $\varphi_R$ is a BSR formula (whose satisfiability is again decidable), and thus the satisfiability of their conjunction is also decidable.
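As an added example (not the paper's WSSMT tool or any code of its authors), the following Python script runs the $FR^0, FR^1, \ldots$ iteration of § III-D and § III-E for the purchase-order workflow of Fig. 2 over explicit states instead of symbolically, so that the effect of the authorization constraints and the fix-point depth can be inspected directly. The users, the $ua$ relation and the four constraint guards follow § III-D; the place numbering (place 10 is $o$), the role hierarchy and the choice that 'flow split'/'flow join' record nothing in $xcd$ are assumptions.

```python
"""Explicit-state forward reachability for a small VAS+RBAC4BPEL system.

Added example, not the paper's WSSMT tool: where the paper computes FR^0,
FR^1, ... symbolically and discharges them with an SMT solver, this script
computes the same sequence over explicit (marking, xcd) states, which is
possible because the WF net is acyclic and the set of users is finite.
Users, ua and the four authorization constraints follow Sec. III-D; the
place numbering (place 10 is o), the role hierarchy and the choice that
'flow split'/'flow join' record nothing in xcd are assumptions.
"""

USERS = ("u1", "u2", "u3", "u4", "u5")
UA = {"u1": "Manager", "u2": "FinAdmin", "u3": "FinClerk",
      "u4": "POAdmin", "u5": "POClerk"}           # ua(u, r) of Sec. III-D
ABOVE = {("Manager", "FinAdmin"), ("Manager", "POAdmin"),
         ("FinAdmin", "FinClerk"), ("POAdmin", "POClerk")}  # assumed order

def geq(r1, r2):
    """r1 >= r2 in the role partial order: reflexive-transitive closure of ABOVE."""
    return r1 == r2 or any(a == r1 and geq(b, r2) for a, b in ABOVE)

def done_by_other(xcd, action, u):
    """Guard of a (U, (action, _), !=) constraint: exists x1. xcd(x1, action) and x1 != u."""
    return any(a == action and x1 != u for x1, a in xcd)

def strictly_senior(xcd, action, u):
    """Guard of (R, (action, _), <): exists x1, r1, r2. xcd(x1, action) and
    ua(x1, r1) and ua(u, r2) and r2 >= r1 and r1 != r2."""
    return any(a == action and UA[u] != UA[x1] and geq(UA[u], UA[x1])
               for x1, a in xcd)

# Guards of the constrained transitions; every other guard is tautological.
GUARDS = {
    "signGNR": lambda xcd, u: done_by_other(xcd, "apprPO", u),
    "ctrSignGNR": lambda xcd, u: (done_by_other(xcd, "apprPO", u)
                                  and done_by_other(xcd, "signGNR", u)),
    "apprPay": lambda xcd, u: strictly_senior(xcd, "crtPay", u),
}

# WF net of Fig. 2 as (transition, pre-places, post-places); place 1 is i.
NET = [
    ("crtPO", (1,), (2,)), ("apprPO", (2,), (3,)), ("flow split", (3,), (4, 5)),
    ("signGNR", (4,), (6,)), ("ctrSignGNR", (6,), (7,)), ("crtPay", (5,), (8,)),
    ("flow join", (7, 8), (9,)), ("apprPay", (9,), (10,)),
]
SYNC = {"flow split", "flow join"}       # synchronisation only, no xcd update
INIT = ((1,) + (0,) * 9, frozenset())    # one token in i, nothing executed yet

def post(states, guards):
    """Post-image of a set of (marking, xcd) states, i.e. Fact 3 made explicit:
    the VAS part moves tokens (every x_k stays >= 0), the RBAC4BPEL part picks
    a user u satisfying the guard and records the pair (u, action) in xcd."""
    out = set()
    for marking, xcd in states:
        for name, pre, posts in NET:
            if not all(marking[p - 1] >= 1 for p in pre):
                continue
            m = list(marking)
            for p in pre:
                m[p - 1] -= 1
            for p in posts:
                m[p - 1] += 1
            m = tuple(m)
            if name in SYNC:
                out.add((m, xcd))
                continue
            guard = guards.get(name, lambda xcd, u: True)
            out.update((m, xcd | {(u, name)}) for u in USERS if guard(xcd, u))
    return out

def forward_reachable(guards=GUARDS):
    """FR^0 = {INIT}, FR^{i+1} = FR^i U Post(FR^i), iterated to the fix-point.
    Returns (FR^l, l); only the frontier needs a post-image at each step."""
    fr, frontier, steps = {INIT}, {INIT}, 0
    while True:
        frontier = post(frontier, guards) - fr
        if not frontier:                 # FR^{i+1} == FR^i: fix-point reached
            return fr, steps
        fr, steps = fr | frontier, steps + 1

def final_states(fr):
    """Reachable states with a token in the final place o (x_10 >= 1)."""
    return [s for s in fr if s[0][9] >= 1]

def is_sound(fr):
    """'No garbage' condition of Sec. III-E: x_10 >= 1 implies x_1 = ... = x_9 = 0."""
    return all(sum(m[:9]) == 0 for m, _ in final_states(fr))

def sod_violations(fr):
    """Final states in which one user performed both apprPO and signGNR."""
    return [(m, x) for m, x in final_states(fr)
            if any((u, "apprPO") in x and (u, "signGNR") in x for u in USERS)]

if __name__ == "__main__":
    fr, ell = forward_reachable()
    print(f"fix-point after {ell} steps, {len(fr)} states, sound={is_sound(fr)}")
    print("SoD violations with the constraints:", len(sod_violations(fr)))
    print("without them:", len(sod_violations(forward_reachable({})[0])))
```

Running `forward_reachable({})` drops every guard and exposes the final states in which one user both approved the purchase order and signed the GNR, which the constrained system never reaches. With $n_u = 5$, $k = 4$ (the prefix of the $apprPay$ transition) and $|T| = 8$, the bound of Property 2 is $\min(8,\ 5^4 \times 8) = 8$, the depth at which the explicit computation reaches its fix-point.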

IV. Analysis of an industrial case study 

We have implemented a prototype tool, called WSSMT, that allows the user to explore the symbolic execution tree of a VAS+RBAC4BPEL system. WSSMT features a client-server architecture where the server is the Z3 SMT solver while the client (implemented in Java as an Eclipse plug-in) takes a two-level transition system and generates the proof obligations for solving the reachability problem as discussed in Theorem 1.

We have first applied WSSMT to the example described in § II to validate our ideas, and then we have considered a more significant example, inspired by an industrial case study, i.e. the Digital Contract Signing (DCS, for short). The scenario consists of two signers having secure access to a trusted third party, called a Business Portal (BP), in order to digitally sign a contract. To achieve this goal, each signer sets the contract's conditions by communicating them to the BP, which creates a digital version of the contract, stores it, and coordinates the two signers in order to obtain their signatures. The DCS process is successful when both signers provide genuine signatures for the digital contract and the BP can permanently store the signed copy of the contract.

The WF level specification of the DCS consists of four BPEL processes: one for the BP, one for the two instances of the signers, one for the service checking the signature, and one for the service archiving the contract. To create the composed BPEL process out of the four components, we have used the BPEL2oWFN tool [5], which is also capable of generating a Petri net representation of the resulting process. We have modified the tool in order to generate the associated VAS as described in § III-C. As a result, we have obtained a VAS with 50 integer variables and 26 transitions.

The PM level specification of the DCS has been specified manually, as there seems to be no available tool for mechanizing this task. More precisely, we have specified an RBAC4BPEL system along the lines of § III-D. The set $U$ of users is composed of five users: two signers, the BP, one checking the signature, and one archiving the contract; the set $R$ of roles contains four roles, one for each BPEL process; the set $P$ of permissions lists 24 elements corresponding to the right of executing the 26 transitions (2 transitions do not need authorization constraints because they are 'flow split' and 'flow join', as in the Petri net in Fig. 2, and are thus used only for synchronization at the WF level); the relation $ua$ prescribes the obvious associations between users and roles (e.g., the two users willing to sign the contract belong to the role of signers); and the relation $pa$ associates the 24 permissions to the 24 transitions that need authorization constraints. Finally, we have added SoD (e.g., the user signing the contract should not be the same as the one checking the validity of the signature on the contract) and BoD (e.g., the users signing the contract should be the same that have agreed on the conditions of the contract) authorization constraints.

The property that we would like to check for the DCS is that once a signed contract has been permanently stored, its signatures have been checked valid and belong to the users who provided the conditions in the contract. Indeed, to be formalized and then verified, this property requires the specification of the manipulation of the data (mainly, the contract) exchanged by the various BPEL processes. As we already observed, this is difficult if not impossible for tools like BPEL2oWFN, as they consider only the control flow. One of the main advantages of using (fragments of) FOL as done in this paper is the flexibility of adding features to an available specification so as to refine it and to allow for the verification of more complex properties such as the one mentioned above. As a consequence, we have manually added to the available specification of the DCS a description of the messages exchanged among the various processes and of how they are generated or modified, by using well-known techniques for the specification of message-passing systems in FOL (see, e.g., [17]). For example, we were able to characterize the BPEL notion of 'correlation set', i.e. messages passed around contain key fields (e.g., user IDs or any business-application-specific identifiers) that can be correlated for the lifetime of the exchange and, e.g., enable the BP to distinguish the messages sent by the first signer from those of the second. This kind of information, which is crucial for proving properties of the kind specified above, is lost while generating the Petri net by using tools such as BPEL2oWFN.

As a result, with our refined model of the DCS, we were able 
to verify the property about the contracts that are permanently 
stored given above in less than 10 seconds on a standard 
laptop. This is an encouraging result about the scalability of 
our techniques. 

V. Conclusion 

We have described automated analysis techniques for the validation of a class of web services specified in BPEL and RBAC4BPEL. We have used decidable fragments of FOL to describe the state space of this class of services and then used the state-of-the-art SMT solver Z3 to solve their reachability problems. We have applied our techniques to the verification of a digital contract signing service by using a prototype tool. The success in solving this verification is due to the flexibility of our specification framework, which allowed us to precisely capture the interplay between the control flow, the data flow, and the access-control level of the service. As future work, we plan, for instance, to extend our decidability results to WF nets containing restricted forms of loops and to extensions of RBAC4BPEL with delegation.
Appendix

Proofs of § III-C

Fact 1: $Post(K, \tau_i)$ is equivalent to $K[x_j + 1, x_k - 1, x_l] \wedge \bigwedge_{i \in P} x_i \geq 0$, where $K[x_j + 1, x_k - 1, x_l]$ denotes the formula obtained by replacing $x'_j$ with $x_j - 1$ for $j \in U^+$, $x'_k$ with $x_k + 1$ for $k \in U^-$, and $x'_l$ with $x_l$ for $l \in U^=$.

Proof: Preliminarily, note that if $x_j = x'_j + 1$ then $x'_j = x_j - 1$ for $j \in U^+$, and if $x_k = x'_k - 1$ then $x'_k = x_k + 1$ for $k \in U^-$. Then, observe the following simple calculations:

$$
\begin{array}{rll}
 & Post(K, \tau_i) & \\
\Leftrightarrow & \exists x'_1, \ldots, x'_n.\,(K(x') \wedge \tau_i(x', x)) & \text{[by definition of } Post] \\
\Leftrightarrow & \exists x'_1, \ldots, x'_n.\,\Big(K(x'_1, \ldots, x'_n) \wedge \bigwedge_{i \in P} x_i \geq 0 \wedge \bigwedge_{j \in U^+} x_j = x'_j + 1 \wedge \bigwedge_{k \in U^-} x_k = x'_k - 1 \wedge \bigwedge_{l \in U^=} x_l = x'_l\Big) & \text{[by definition of } \tau_i] \\
\Leftrightarrow & \exists x'.\,\Big(K[x_j + 1, x_k - 1, x_l] \wedge \bigwedge_{i \in P} x_i \geq 0 \wedge \bigwedge_{j \in U^+} x_j = x'_j + 1 \wedge \bigwedge_{k \in U^-} x_k = x'_k - 1 \wedge \bigwedge_{l \in U^=} x_l = x'_l\Big) & \text{[by replacement]} \\
\Leftrightarrow & K[x_j + 1, x_k - 1, x_l] \wedge \bigwedge_{i \in P} x_i \geq 0 \wedge \exists x'.\,\Big(\bigwedge_{j \in U^+} x_j = x'_j + 1 \wedge \bigwedge_{k \in U^-} x_k = x'_k - 1 \wedge \bigwedge_{l \in U^=} x_l = x'_l\Big) & \text{[by a property of } \exists] \\
\Leftrightarrow & K[x_j + 1, x_k - 1, x_l] \wedge \bigwedge_{i \in P} x_i \geq 0. & \text{[by a property of } \exists]
\end{array}
$$

This concludes the proof. ■
Lemma 1: Let $PN := (P, T, F)$ be an acyclic workflow net and $\Pi$ be the set of all its paths. Then, the set of forward reachable states of the VAS $(x, In(x), \{\tau_i(x, x') \mid i = 1, \ldots, n\})$ associated to $PN$ is identified by the formula $FR^\ell(\tau, In)$ for $\ell = \max_{\pi \in \Pi}\{len(\pi|_T)\}$, where $\pi|_T$ is the sequence obtained from $\pi$ by forgetting each of its elements in $P$ and $len(\pi|_T)$ is the length of the sequence $\pi|_T$.

Before proving the Lemma, we instantiate the notion of symbolic execution tree (introduced in § III-B) to VASs so that we can use it in the proofs of the results in this part. The symbolic execution tree of a VAS is a labeled tree defined as follows: (i) the root node is labeled by the formula $In$; (ii) a node $n$ labeled by the formula $K$ has $d \leq n$ sons $n_1, \ldots, n_d$ labeled by the formulae $Post(\tau_1, K), \ldots, Post(\tau_d, K)$ such that $Post(\tau_j, K)$ is satisfiable in the underlying model of the VAS, and the edge from $n$ to $n_j$ is labeled by $\tau_j$ for $j = 1, \ldots, d$; (iii) a node $n$ labeled by the formula $K$ has no son, in which case $n$ is a final node, if $Post(\tau_j, K)$ is unsatisfiable in the underlying model of the VAS for each $j = 1, \ldots, n$. A symbolic execution tree of a VAS is 0-complete if it consists of the root node labeled by the formula $In$; it is $(d+1)$-complete for $d \geq 0$ if its depth is $d+1$ and, for each node $n$ labeled by a formula $K_n$ at depth $d$, if $Post(\tau_j, K_n)$ is satisfiable then there exists a node $n'$ at depth $d+1$ labeled by $Post(\tau_j, K_n)$.

Property 3: Let $(x, In(x), \{\tau_i(x, x') \mid i = 1, \ldots, n\})$ be a VAS. The disjunction of all the formulae labeling a $d$-complete symbolic execution tree of the VAS above is logically equivalent to $FR^d(\tau, In)$, where $\tau := \bigvee_{i=1}^{n} \tau_i$.

Proof: First of all, observe that $Post$ distributes over disjunction, i.e.

$$
\begin{array}{rll}
 & Post(\tau, K) & \\
\Leftrightarrow & \exists x'.\,(K(x') \wedge \tau(x', x)) & \text{[by definition of } Post] \\
\Leftrightarrow & \exists x'.\,\Big(K(x') \wedge \bigvee_{i=1}^{n} \tau_i(x', x)\Big) & \text{[by definition of } \tau] \\
\Leftrightarrow & \bigvee_{i=1}^{n} \exists x'.\,(K(x') \wedge \tau_i(x', x)) & \text{[by properties of } \wedge, \vee, \exists] \\
\Leftrightarrow & \bigvee_{i=1}^{n} Post(\tau_i, K). & \text{[by definition of } Post]
\end{array}
$$

Then, the property follows by a simple induction on the depth of the symbolic execution tree. ■

Interestingly, we observe that the fix-point checks are always successful for every formula $FR^{\ell'}(\tau, In)$ with $\ell' > \max_{\pi \in \Pi}\{len(\pi|_T)\}$, since $FR^{\ell'}(\tau, In) \equiv FR^{\ell}(\tau, In)$ (with $\ell$ as in Lemma 1) as no transition is enabled in $FR^{\ell}(\tau, In)$. We can rephrase this in terms of the symbolic execution tree as follows.

Property 4: Let $PN := (P, T, F)$ be an acyclic WF net. The symbolic execution tree of the VAS associated to $PN$ is $\ell$-complete for every $\ell \geq \max_{\pi \in \Pi}\{len(\pi|_T)\}$.

Proof sketch: This is a consequence of the previous property and the observation that $FR^{\ell'}(\tau, In) \equiv FR^{\ell}(\tau, In)$ for every $\ell' > \max_{\pi \in \Pi}\{len(\pi|_T)\}$. ■

Now, we establish a connection between (projections of) paths in a Petri net and (projections of) paths in a symbolic execution tree.

Property 5: Let $PN := (P, T, F)$ be a Petri net, and $\Pi$ be the set of all its paths. Then, for each $\pi \in \Pi$, there exists a path $\pi'$ in the symbolic execution tree of the VAS associated to $PN$ such that $\pi|_T = \pi'|_T$. The vice versa also holds, i.e. for each path $\pi'$ in the symbolic execution tree of the VAS associated to $PN$, there exists a path $\pi \in \Pi$ such that $\pi|_T = \pi'|_T$.

Proof sketch: This is a consequence of the previous property and the fact that the sets of reachable markings of Petri nets and the sets of reachable states of the associated VASs are in a one-to-one correspondence. ■

Lemma 1 is a consequence of the last property above and the fact that all the paths in the net are of bounded length, so that it is possible to compute the one with maximal length.



Proofs of § III-D

Fact 2: $Post(K, \tau_i)$ is equivalent to

$$\begin{array}{l}(\exists u.\,(K(xcd) \wedge xcd(u_j, t) \wedge \xi(u, xcd)))\ \vee \\ (\exists u.\,(K[\lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))] \wedge \xi[u, \lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))])),\end{array}$$

where $K[\lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))]$ is the formula obtained from $K$ by substituting each occurrence of $xcd'$ with the $\lambda$-expression in the square brackets and then performing the $\beta$-reduction, and similarly for $\xi[u, \lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))]$.

Proof: First of all, observe the following. Assume $xcd = \lambda x, y.((x = u_j \wedge y = t) \vee xcd'(x, y))$. We have (a) $xcd' = xcd$ if $xcd'(u_j, t)$ holds, and (b) $xcd' = \lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))$ otherwise (i.e. when $\neg xcd'(u_j, t)$). Now, consider the following simple transformations:

$$
\begin{array}{rl}
 & Post(K, \tau_i) \\
\Leftrightarrow & \exists xcd'.\,(K(xcd') \wedge \tau_i(xcd', xcd)) \\
\Leftrightarrow & \exists xcd'.\,(K(xcd') \wedge \exists u.\,(\xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow ((x = u_j \wedge y = t) \vee xcd'(x, y))))) \\
\Leftrightarrow & \exists xcd'.\,(K(xcd') \wedge \exists u.\,((xcd'(u_j, t) \vee \neg xcd'(u_j, t)) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow ((x = u_j \wedge y = t) \vee xcd'(x, y))))) \\
\Leftrightarrow & \exists xcd'.\,(K(xcd') \wedge ((\exists u.\,(xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow ((x = u_j \wedge y = t) \vee xcd'(x, y)))))\ \vee \\
 & \qquad\qquad\qquad\ \ (\exists u.\,(\neg xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow ((x = u_j \wedge y = t) \vee xcd'(x, y))))))) \\
\Leftrightarrow & \exists xcd'.\,(K(xcd') \wedge ((\exists u.\,(xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow xcd'(x, y))))\ \vee \\
 & \qquad\qquad\qquad\ \ (\exists u.\,(\neg xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow ((x = u_j \wedge y = t) \vee xcd'(x, y))))))) \\
\Leftrightarrow & \exists xcd'.\,(K(xcd') \wedge ((\exists u.\,(xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow xcd'(x, y))))\ \vee \\
 & \qquad\qquad\qquad\ \ (\exists u.\,(\neg xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd'(x, y) \Leftrightarrow (\neg(x = u_j \wedge y = t) \wedge xcd(x, y))))))) \\
\Leftrightarrow & \exists xcd'.\,((\exists u.\,(K(xcd') \wedge xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd(x, y) \Leftrightarrow xcd'(x, y))))\ \vee \\
 & \qquad\quad\ \ (\exists u.\,(K(xcd') \wedge \neg xcd'(u_j, t) \wedge \xi(u, xcd') \wedge \forall x, y.\,(xcd'(x, y) \Leftrightarrow (\neg(x = u_j \wedge y = t) \wedge xcd(x, y)))))) \\
\Leftrightarrow & (\exists u.\,(K(xcd) \wedge xcd(u_j, t) \wedge \xi(u, xcd)))\ \vee \\
 & (\exists u.\,(K[\lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))] \wedge \xi[u, \lambda x, y.(\neg(x = u_j \wedge y = t) \wedge xcd(x, y))])).
\end{array}
$$

This concludes the proof. ■
For completeness, as done for VASs, we instantiate the notion of symbolic execution tree (introduced in § III-B) to RBAC4BPEL systems. The symbolic execution tree of an RBAC4BPEL system is a labeled tree defined as follows: (i) the root node is labeled by the formula $In$; (ii) a node $n$ labeled by the formula $K$ has $d \leq n$ sons $n_1, \ldots, n_d$ labeled by the formulae $Post(\tau_1, K), \ldots, Post(\tau_d, K)$ such that $Post(\tau_j, K)$ is satisfiable in the underlying model of the RBAC4BPEL system, and the edge from $n$ to $n_j$ is labeled by $\tau_j$ for $j = 1, \ldots, d$; (iii) a node $n$ labeled by the formula $K$ has no son, in which case $n$ is a final node, if $Post(\tau_j, K)$ is unsatisfiable in the underlying model of the RBAC4BPEL system for each $j = 1, \ldots, n$. A symbolic execution tree of an RBAC4BPEL system is 0-complete if it consists of the root node labeled by the formula $In$; it is $(d+1)$-complete for $d \geq 0$ if its depth is $d+1$ and, for each node $n$ labeled by a formula $K_n$ at depth $d$, if $Post(\tau_j, K_n)$ is satisfiable then there exists a node $n'$ at depth $d+1$ labeled by $Post(\tau_j, K_n)$.

Property 6: Let $(p, In(p), \{\tau_i(p, p') \mid i = 1, \ldots, n\})$ be an RBAC4BPEL system. The disjunction of all the formulae labeling a $d$-complete symbolic execution tree of the RBAC4BPEL system above is logically equivalent to $FR^d(\tau, In)$, where $\tau := \bigvee_{i=1}^{n} \tau_i$.

The proof is almost identical to that of Property 3 and is thus omitted.

Proofs of § III-E

Preliminarily, we modularly define the sequence of formulae characterizing sets of forward reachable states and the symbolic execution trees of VAS+RBAC4BPEL systems by re-using the associated VAS and RBAC4BPEL system.

For the formulae describing the set of forward reachable states, define the following sequence by recursion: $FR^0(K, \tau) := K$ and $FR^{i+1}(K, \tau) := (Post_V(FR^i, \tau) \wedge Post_R(FR^i, \tau)) \vee FR^i(K, \tau)$ for $i \geq 0$, where $K := K_V \wedge K_R$, $K_V$ is a formula of LA, $K_R$ is a BSR formula, and $\tau := \bigvee_{i=1}^{n} \tau_i$.

For the symbolic execution tree of a VAS+RBAC4BPEL system, preliminarily introduce the following two labeling functions. Given a node of the symbolic execution tree for a VAS+RBAC4BPEL system, the VAS-labeling function returns $Post_V(FR^i, \tau)$ while the RBAC4BPEL-labeling function returns $Post_R(FR^i, \tau)$. Then, the symbolic execution tree of a VAS+RBAC4BPEL system is a (multi-)labeled tree defined as follows: (i) the root node is VAS-labeled by the formula $In_V$ and RBAC4BPEL-labeled by the formula $In_R$; (ii) a node $n$ VAS-labeled by the formula $K_V$ and RBAC4BPEL-labeled by the formula $K_R$ has $d \leq n$ sons $n_1, \ldots, n_d$, where each $n_j$ is VAS-labeled by the formula $Post_V(\tau_j, K)$ such that $Post_V(\tau_j, K)$ is satisfiable in the structure underlying the associated VAS, and is RBAC4BPEL-labeled by the formula $Post_R(\tau_j, K)$ such that $Post_R(\tau_j, K)$ is satisfiable in the structure underlying the associated RBAC4BPEL system, and the edge from $n$ to $n_j$ is labeled by $\tau_j$ for $j = 1, \ldots, d$; (iii) a node $n$ labeled by the formula $K$ has no son, in which case $n$ is a final node, if both $Post_V(\tau_j, K)$ is unsatisfiable modulo Linear Arithmetic and $Post_R(\tau_j, K)$ is unsatisfiable modulo the BSR theory, for each $j = 1, \ldots, n$. A symbolic execution tree of a VAS+RBAC4BPEL system is 0-complete if it consists of the root node VAS-labeled by the formula $In_V$ and RBAC4BPEL-labeled by the formula $In_R$; it is $(d+1)$-complete for $d \geq 0$ if its depth is $d+1$ and, for each node $n$ labeled by a formula $K_n$ at depth $d$, if both $Post_V(\tau_j, K_n)$ is satisfiable modulo LA and $Post_R(\tau_j, K_n)$ is satisfiable modulo the BSR theory, then there exists a node $n'$ at depth $d+1$ VAS-labeled by $Post_V(\tau_j, K_n)$ and RBAC4BPEL-labeled by $Post_R(\tau_j, K_n)$.

Property 7: Let $(x, p, In_V(x) \wedge In_R(p), \{\tau^V_i(x, x') \wedge \tau^R_i(p, p') \mid i = 1, \ldots, n\})$ be a VAS+RBAC4BPEL system. The disjunction of the conjunctions between the VAS-labeling and RBAC4BPEL-labeling formulae of all the nodes in a $d$-complete symbolic execution tree is logically equivalent to $FR^d(\tau, In)$, where $\tau := \bigvee_{i=1}^{n} \tau_i$.

The proof is along the lines of that of Property 3 and uses the modularity of the post-image computation (see Fact 3).

We are now ready to prove the main result of the paper.

Theorem 1: Let $PN := (P, T, F)$ be an acyclic WF net and $(x, In_V(x), \{\tau^V_i(x, x') \mid i = 1, \ldots, n\})$ be its associated VAS. Furthermore, let $(p, In_R(p), \{\tau^R_i(p, p') \mid i = 1, \ldots, n\})$ be the RBAC4BPEL system with a finite and known set of users. Then, the symbolic reachability problem of the VAS+RBAC4BPEL system whose associated VAS and RBAC4BPEL system are those specified above is decidable.

Proof: Let $G_V(x) \wedge G_R(p)$ be a goal formula such that $G_V$ is an LA formula and $G_R$ is a BSR formula. By Property 2, we know that there exists a bound $\ell \geq 0$ such that, for every $\ell' \geq \ell$, the symbolic execution tree of the VAS+RBAC4BPEL system is $\ell'$-complete. Furthermore, by Property 7 we know that the disjunction of all VAS-labeling and RBAC4BPEL-labeling formulae is equivalent to $FR^\ell(\tau, In)$. Because of the $\ell$-completeness of the symbolic execution tree, we know that $FR^\ell(\tau, In)$ is a fix-point; hence, $FR^\ell(\tau, In)$ describes the set of all forward reachable states of the VAS+RBAC4BPEL system. By induction on the length of the sequence $FR^0, FR^1, \ldots$ of formulae, it is easy to show that each $FR^i$ is equivalent to the conjunction between a formula of Linear Arithmetic, say $FR^i_V$, and a BSR formula, say $FR^i_R$. Hence, we conclude that $FR^\ell(\tau, In)$ is equivalent to $FR^\ell_V \wedge FR^\ell_R$. Thus, in order to solve the goal reachability problem, it is sufficient to check the satisfiability of the following formula:

$$(FR^\ell_V \wedge FR^\ell_R) \wedge (G_V(x) \wedge G_R(p))$$

modulo the union of LA and the BSR theory. This problem can be reduced to two separate satisfiability problems modulo a single theory, namely: (i) checking the satisfiability of

$$FR^\ell_V \wedge G_V(x)$$

modulo Linear Arithmetic, and (ii) checking the satisfiability of

$$FR^\ell_R \wedge G_R(p)$$

modulo the BSR theory. Both of these problems are well-known to be decidable and hence the overall problem is decidable. This concludes the proof. ■



